Share This Page

For the life of me, I can't seem to understand how to create a cheat.plg to use on my games. I know that I should be able to convert code from ARCode but there's no easy way to do it. I'm not a coder but I can read lines enough to follow a tut but there's not really one out there. I have Python installed, 9.5 emuN+NTR 3.0, and programmer's notepad and I don't know how I would sort the codes and compile it into a cheat.plg.
Here are the codes, I just don't know how it should be positioned in programmer's notepad.

those are fcram address not virtual memory address, which ntr uses
any code address above 03xxxxxx won't work on ntr
you will need a fcram dump and a 00100000 memory region dump from ntr if you want to convert them to work on ntr

tbh i just searched ram dumps with cheat engine and made my own codes with beyond the labyrinth, can take a few tries finding which memory region contains what it is your looking for, but once you find it most of the other stuff you would want to mod will be stored nearby

tbh i just searched ram dumps with cheat engine and made my own codes with beyond the labyrinth, can take a few tries finding which memory region contains what it is your looking for, but once you find it most of the other stuff you would want to mod will be stored nearby

Click to expand...

How do you use Cheat Engine with the Ram Dumps? I get that you'd use the NTR Debugger to create a RAM dump when a value changes to narrow down results but how do you use Cheat Engine's features with these dumps? The only way I've ever used CE before is hooking into a process.

Oh, and what part of memory on the 3DS do you dump? What addresses are game data? I know the NTR debugger has kernel access and can be dangerous. (I guess this wouldn't be an issue with just reading but just to be safe)

How do you use Cheat Engine with the Ram Dumps? I get that you'd use the NTR Debugger to create a RAM dump when a value changes to narrow down results but how do you use Cheat Engine's features with these dumps? The only way I've ever used CE before is hooking into a process.

Oh, and what part of memory on the 3DS do you dump? What addresses are game data? I know the NTR debugger has kernel access and can be dangerous. (I guess this wouldn't be an issue with just reading but just to be safe)

Here is the list of steps for example to see the memory content of player pocket in the animal crossing new leaf game:

Warning: Spoilers inside!

Code:

1. Play 3ds with NTR CFW for the game ACNL (with wireless switch on)
2. Check the IP address of the 3ds (e.g. 192.168.1.10)
3. Run ntrclient application on Windows PC
4. Execute the following command:
connect('192.168.1.10', 8000)
5. After the connection is establish, you could see the list of process by using command:
listprocess()
6. One of them is the ACNL game of interest (in this case the process name is GARDEN, and has pid # 0x25)
7. Then you could check the memory layout, for example:
> memlayout(0x25)
null
valid memregions:
00100000 - 00b6efff , size: 00a6f000
08000000 - 08073fff , size: 00074000
0ffc0000 - 10000fff , size: 00041000
10002000 - 10002fff , size: 00001000
14000000 - 174dcfff , size: 034dd000
1f000000 - 1f5fffff , size: 00600000
1ff50000 - 1ff57fff , size: 00008000
1ff70000 - 1ff77fff , size: 00008000
1ff80000 - 1ff81fff , size: 00002000
1ffad000 - 1ffaefff , size: 00002000
end of memlayout.
8. I could dump the biggest one and see whether the savegame file is in that part (i.e. finding
garden.dat file (extracted by using savefiler 3ds application) content inside this memory data
dump file, data.bin):
> data(0x14000000, 0x34DD000, filename='data.bin', pid=0x25)
9. garden.dat actually starts at offset 0x01FB7E80 in that data.bin file, so now we could try finding
the location of the pocket slots of the first player by changing the content in the first slot of the
pocket multiple times and dump those data.bin for each change. In this case, I could see the offset
is 0x1FBEAD0 (or 0x15FBEAD0 after taking into consideration that data.bin starts at 0x14000000 in
the memory of pid 0x25).
10. Now, we could use command to put a bag of 99,000 bells in that first slot of pocket:
write(0x15FBEAD0, (0x12, 0x21, 0x00, 0x00), pid=0x25)
11. Profit

Hope this clarifies.

Cheers.

Click to expand...

so thats a rough guide, but for example when i was making the beyond the lab codes i was doing it more like
data(0x08000000, 0x00522000, filename='p1-500hp-p2-600hp-p3-700hp.bin', pid=0x29)
loose hp
data(0x08000000, 0x00522000, filename='p1-400hp-p2-500hp-p3-600hp.bin', pid=0x29)
loose more hp
data(0x08000000, 0x00522000, filename='p1-300hp-p2-400hp-p3-500hp.bin', pid=0x29)

from there i can use the open file function on cheat engine to do searches like the good old action replays and search for more than one offset with each dump, so first i find P1's HP, then P2's, then player 3's etc etc

PS once you have the offset, say for example P1 HP is 0x921a4 in cheat engine you add this to the base offset of your dump so the final offset would be 0x80921a4, from there you can test it out before adding it to your plugin by using the write command eg

Awesome man. If possible could you attach your Beyond the Labyrinth plugin in a reply? I started playing that as well. The combat is pretty tedious though but I'm for some reason still interested in it.

I suppose I could make the cheat myself thanks your fantastic post but no reason to re-invent the wheel, lol.

Awesome man. If possible could you attach your Beyond the Labyrinth plugin in a reply? I started playing that as well. The combat is pretty tedious though but I'm for some reason still interested in it.

I suppose I could make the cheat myself thanks your fantastic post but no reason to re-invent the wheel, lol.

Awesome man. I'm gonna have to add a Wait Time resetter. I used 4 max charge attacks in a row setting my wait time to 99 for all characters. I had to no joke wait 4 minutes till I could attack again.
Even with cheats this game is tedious as hell.

Basically you need to do a ram dump (or several to get greater understanding of where your value is stored) with NTR, you need to find the offset you want to modify and you are doing it using this syntax:
<offset> <value>
each should be 16 bytes (prepend with 0s if necessary)

Basically you need to do a ram dump (or several to get greater understanding of where your value is stored) with NTR, you need to find the offset you want to modify and you are doing it using this syntax:
<offset> <value>
each should be 16 bytes (prepend with 0s if necessary)

Click to expand...

You will always need several RAM dumps, only one won't give you an exact result and you'd need to try hundreds of different addresses if you're not unlucky.

What you said about the 16 bytes thing is wrong, what you mean is 16 bits = 2 bytes and that is also not quite the case. When you're using the NTR debugger alone to modify your RAM aka write data to the RAM you need to write at least 2 bytes. Say if you'd want to write the value 0x02 to the address 0x00001234, you have to write a value to 0x000001233 or 0x00001235 as well since you need at least two bytes. Now, simply taking the value 0x00 for the second byte is a bad idea since this could overwrite crucial data for the game with a wrong value and therefore potentially mess up your save file. What you should do is read what value is stored at the address before or after the address you want to write to. Let's say you want to write to the address 0x00001234 again. Read the value at address 0x00001233 by using the command "data(0x00001233, 0x1, pid=0x??). The first number in the parentheses is the address you want to read, the second is the length, you only want to read this one value so it's 0x1 (the 0x is needed to show that the value is in hexadecimal, you have to put it there), the pid is something you have to find out yourself with the command "processlist()". Now you have the value of the address 0x00001233, let's say it's 0x5 for our example, and obviously you know which value you want to write to 0x00001234, let's say it's 0x63 or 99 in decimal for our example. To put that into the RAM of the 3DS you need to use the command "write(0x00001233, (0x5, 0x63), pid=0x??). This command will write the correct value to 0x00001233 which should be the same as it was anyway and it will write your desired value 0x63 to your desired offset 0x00001234.

Now how would you add this to your cheat plugin?
In the function responsible for the cheats you'd just have to add "WRITEU8(0x00001234, 0x63);" and that would be it. The WRITEU8 function writes 8 bits (= 1 byte) to the address specified by the first entry in the parentheses. The value you want to write is specified by the second argument in the parentheses, here it's 0x63. You can also right the value in decimal so the command would look like this: WRITEU8(0x00001234, 99);

If you'd like a more detailed explanation on how to write cheat plugins and how to find offsets with NTR Debugger I'd be glad to help you

editing a cheat.plg is possible ? (example:for replace an arcode inside a japan cheat.plg for an usa or european converted arcode)

Click to expand...

No, sadly this is not possible. You'd need to have the source code of the plugin you want to edit to do that. However, there is a source code for the cheat plugin for A Link Between Worlds out there. It would be very easy to put the codes you want in there.